author	Pablo Neira Ayuso <pablo@gnumonks.org>	2013-12-13 15:18:56 +0100
committer	Pablo Neira Ayuso <pablo@gnumonks.org>	2013-12-13 15:23:04 +0100
commit	87b3eeaed7dfd321e1964d44019d4c7e6ae88f48 (patch)
parent	9b1c0804d967a0d32217503756a67be84b6e6d17 (diff)
osmux: delete message from output list before calling tx_cb
Valgrind complains about a possible use after free:

==12800== Invalid read of size 4
==12800==    at 0x4073DF6: osmux_tx_sched (linuxlist.h:119)
==12800==    by 0x8052B0F: osmux_read_from_bsc_nat_cb (osmux.c:261)
==12800==    by 0x453F967: ???
==12800==  Address 0x453f710 is 48 bytes inside a block of size 145 free'd
==12800==    at 0x402750C: free (vg_replace_malloc.c:427)
==12800==    by 0x4064ADE: talloc_free (talloc.c:609)
==12800==    by 0x405AAAA: msgb_free (msgb.c:72)
==12800==    by 0x8052492: scheduled_tx_bts_cb (osmux.c:196)
==12800==    by 0x4072CF8: osmux_tx_cb (osmux.c:554)
==12800==    by 0x4073F03: osmux_tx_sched (osmux.c:582)
==12800==    by 0x8052B0F: osmux_read_from_bsc_nat_cb (osmux.c:261)
==12800==    by 0x453F967: ???

The problem is that osmux_tx_sched may immediately call osmux_tx_cb for the first extracted RTP message from the osmux batch, which releases the message after that. Remove the message from our list of messages to be transmitted before the message is passed to the tx callback.

Reported by Mattias Lundstrom.
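The ordering bug the commit message describes, reduced to a stand-alone C program. This is an added example written for this page, not code from libosmocore or openbsc: it carries a minimal intrusive list modelled on linuxlist.h (an assumed subset), a `struct msg` standing in for msgb, and a transmit callback that frees its argument immediately, as the Valgrind trace shows scheduled_tx_bts_cb doing. Instead of calling free(), the example marks a message freed so that a later access can be counted rather than crashing; both orderings from the hunk are run over a constructed batch of four messages.

```c
#include <stddef.h>
#include <stdio.h>

/* Minimal intrusive list in the style of linuxlist.h (assumed subset,
 * written for this example). */
struct llist_head { struct llist_head *next, *prev; };

static void llist_init(struct llist_head *h) { h->next = h->prev = h; }
static int  llist_empty(const struct llist_head *h) { return h->next == h; }
static void llist_add_tail(struct llist_head *n, struct llist_head *h)
{
	n->prev = h->prev; n->next = h;
	h->prev->next = n; h->prev = n;
}
static void llist_del(struct llist_head *n)
{
	n->prev->next = n->next; n->next->prev = n->prev;
	n->next = n->prev = NULL;
}
#define llist_entry(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))
/* _safe variant: the next node is cached before the body runs, so the
 * body may unlink (and the callback may free) `pos`. */
#define llist_for_each_entry_safe(pos, n, head, type, member) \
	for (pos = llist_entry((head)->next, type, member), \
	     n = llist_entry(pos->member.next, type, member); \
	     &pos->member != (head); \
	     pos = n, n = llist_entry(n->member.next, type, member))

/* Stand-in for msgb: payload plus intrusive list node. msg_free() only
 * sets a flag (constructed instrumentation) so a use after free can be
 * detected by the example instead of corrupting memory. */
struct msg {
	struct llist_head list;
	int seq;
	int freed;
};

typedef void (*tx_cb_t)(struct msg *m, void *data);

static int sent;   /* messages handed to the transmit callback */

static void msg_free(struct msg *m) { m->freed = 1; }

/* Like scheduled_tx_bts_cb in the trace: transmit now, then free. */
static void tx_cb_immediate(struct msg *m, void *data)
{
	(void)data;
	sent++;
	msg_free(m);
}

/* The "-" ordering of the hunk: unlink after the callback, i.e. after
 * ownership was given away. Returns how often a freed node was touched. */
static int sched_del_after_cb(struct llist_head *list, tx_cb_t cb, void *data)
{
	struct msg *cur, *tmp;
	int bad = 0;
	llist_for_each_entry_safe(cur, tmp, list, struct msg, list) {
		cb(cur, data);
		if (cur->freed) {	/* real code: llist_del() reads freed memory */
			bad++;
			continue;
		}
		llist_del(&cur->list);
	}
	return bad;
}

/* The "+" ordering: unlink first, then hand the message over. Nothing
 * dereferences cur once cb() has returned. */
static int sched_del_before_cb(struct llist_head *list, tx_cb_t cb, void *data)
{
	struct msg *cur, *tmp;
	llist_for_each_entry_safe(cur, tmp, list, struct msg, list) {
		llist_del(&cur->list);
		cb(cur, data);
	}
	return 0;
}

/* Constructed batch of four messages (the list osmux_tx_sched walks). */
static struct msg pool[4];
static struct llist_head batch;

static void build_batch(void)
{
	int i;
	llist_init(&batch);
	for (i = 0; i < 4; i++) {
		pool[i].seq = i;
		pool[i].freed = 0;
		llist_add_tail(&pool[i].list, &batch);
	}
	sent = 0;
}

/* Runs one ordering over a fresh batch; returns freed-node accesses. */
static int run_batch(int del_before_cb)
{
	build_batch();
	if (del_before_cb)
		return sched_del_before_cb(&batch, tx_cb_immediate, NULL);
	return sched_del_after_cb(&batch, tx_cb_immediate, NULL);
}

static int batch_is_empty(void) { return llist_empty(&batch); }
static int messages_sent(void) { return sent; }

int main(void)
{
	printf("del after cb:  %d freed-node accesses\n", run_batch(0));
	printf("del before cb: %d freed-node accesses, list empty=%d\n",
	       run_batch(1), batch_is_empty());
	return 0;
}
```

With the callback freeing every message, the old ordering touches a freed node once per message, while the new ordering touches none and leaves the batch list empty. The example also shows why the bug was latent: a callback that only schedules the message for later (and does not free it) makes both orderings behave identically, which is why only the first, immediately transmitted RTP message triggered the Valgrind report.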
1 file changed, 1 insertion, 2 deletions
diff --git a/src/osmux.c b/src/osmux.c
index 5cd586c..a2c123c 100644
--- a/src/osmux.c
+++ b/src/osmux.c
@@ -599,10 +599,9 @@ osmux_tx_sched(struct llist_head *list,
LOGP(DLMIB, LOGL_DEBUG, "scheduled transmision in %lu.%6lu "
"seconds, msg=%p\n", when.tv_sec, when.tv_usec, cur);
+ llist_del(&cur->list);
osmux_tx(cur, &when, tx_cb, data);
timeradd(&when, &delta, &when);
- llist_del(&cur->list);
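Review bot: moving llist_del() ahead of osmux_tx() is only sufficient if the enclosing loop caches the next element before the body runs (a llist_for_each_entry_safe-style iterator); with a plain llist_for_each_entry the loop step would still read cur->list.next after tx_cb freed cur, and the use-after-free would merely move from llist_del() to the iterator. The loop header is outside this hunk, so please confirm that in the commit or in a comment above the call. The rest of the body is clean in that respect: once cur has been handed to osmux_tx() nothing else touches it, since timeradd() only uses when and delta. Minor: the debug log in the context line spells "transmision"; "transmission" could be fixed in the same patch.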